DETAILED ACTION

Response to Amendments 

1. This Continued Examination Office Action is in reply to the Request for Continued Examination filed on 28 
July 2009. 

2. Claims 1 and 19 have been amended. 

3. Claims 5 and 22 have been cancelled. 

4. Claims 1-4, 6-21, and 23-30 are currently pending and have been examined. 

Continued Examination Under 37 CFR 1.114 

5. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was 
filed in this application after final rejection. Since this application is eligible for continued examination under 
37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous 
Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 28 July 2009 
has been entered. 

Response to Amendment 
Response to Arguments 

6. Applicant's arguments filed 28 July 2009 have been fully considered but they are not persuasive. 

7. Applicant submits that Callahan (U.S. Pub. No. 2003/0229525) does not teach or suggest in amended Claim
1: (1) assessing an impact on: external/internal customers, financial, regulatory obligations resulting from
the services from the outside service provider; assessing an allowable time period that the degradation of
the services from the outside service provider can last [see Remarks page 11, last paragraph through page
12, last paragraph].

With regard to argument (1), the Examiner respectfully disagrees. Callahan teaches assessing an
impact on: external/internal customers (company's consumer customer information), financial (financial, 
account balances, account numbers, and transactions) (see at least paragraphs 25-32 and 60), regulatory 
obligations (compliance risks, monitoring compliance with the GLBA [Gramm-Leach-Bliley Act (GLBA)]) (see
at least paragraphs 2, 20, and 36), resulting from the services from the outside service provider. (The 
Examiner notes that although Callahan does not expressly teach the specific data recited in amended Claim 
1, these differences are only found in the non-functional descriptive material and are not functionally 
involved in the steps recited nor do they alter the recited structural elements. The recited method steps 
would be performed the same regardless of the specific data. Further, the structural elements remain the 
same regardless of the specific data. Thus, this descriptive material will not distinguish the claimed 
invention from the prior art in terms of patentability, see In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 401, 
404 (Fed. Cir. 1983); In re Lowry, 32 F.3d 1579, 32 USPQ2d 1031 (Fed. Cir. 1994); MPEP 2106). 

Callahan does not specifically teach assessing an allowable time period that the degradation of the 
services from the outside service provider can last. Callahan in view of Bott does not specifically teach 
assessing an allowable time period that the degradation of the services from the outside service provider 
can last. Callahan in view of Bott and in further view of Borgia teach assessing an allowable time period 
(risk acknowledgement approval period) that the degradation of the services from the outside service 
provider can last (expiration, thirty day warning) (Borgia, see at least column 12, lines 32-62). 



Claim Rejections - 35 USC § 103 



8. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth 
in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art
are such that the subject matter as a whole would have been obvious at the time the invention was made to 
a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

9. Claims 1-4, 6-21, and 23-30 are rejected under 35 U.S.C. 103(a) as being unpatentable over Callahan (U.S. 
Pub. No. 2003/0229525) in view of Bott (U.S. 6,856,973) and in further view of Borgia et al (Borgia) (U.S.
Pub. No. 2002/0129221).

With regard to Claim 1, Callahan teaches a method and system comprising:

• identifying, via a user interface, outside service provider information that describes 
the outside service provider (provide a population of all third-party providers and risk- 
rank them) (see at least paragraph 0028). 

• storing the outside service provider information in a database (Assessment templates, 
612, are also stored in fixed storage) (see at least paragraph 0043). 

• identifying, via the user interface, resource information that describes resources of the 
enterprise associated with services provided by the outside service provider (the type 
of data shared between the financial services company and the provider) (see at least 
paragraph 0028). 

• storing the resource information in the database (Assessment templates, 612, are 
also stored in fixed storage) (see at least paragraph 0043). 

• assessing (risk assessment module), via server, an impact (impact value) on the 
enterprise from a degradation (perceivable threats, damage that could occur, 
insufficient to ensure compliance in an area represented by the question) of the 
services from the outside service provider (Third Party Service Provider, the impact is 
less critical than if account balances, account numbers, and transactions were 
revealed) (see at least paragraphs 0025-0028 and 0060), wherein assessing the 
impact on the enterprise comprises assessing a business impact on the enterprise 
(risk, probability and impact (R, P, I), business organization) (see at least paragraphs 
0066-0070 and FIG. 20), wherein assessing the business impact on the enterprise 
further comprises: assessing an impact on: external/internal customers (company's 
consumer customer information), financial (financial, account balances, account 
numbers, and transactions) (see at least paragraphs 25-32 and 60), regulatory 
obligations (compliance risks, monitoring compliance with the GLBA [Gramm-Leach-Bliley
Act (GLBA)]) (see at least paragraphs 2, 20, and 36), resulting from the services
from the outside service provider; 

• storing the assessment in the database (Assessment templates, 612, are also stored 
in fixed storage) (see at least paragraph 0043). 

• automatically, via the server, determining a criticality of the outside service provider in
response to the assessment the impact is less critical than if account balances, 
account numbers, and transactions were revealed, (overall risk rating, assessment) 
(see at least paragraphs 0060 and 0069-0071). 

• storing the criticality in the database (Assessment templates, 612, are also stored in 
fixed storage) (see at least paragraph 0043). 

• providing, via the user interface, status data from the database (SQL database) (see 
at least paragraph 0055), wherein the status data comprises at least one of a status 
of: 

o the resource information 

o the assessment (updated to change the status of the assessment) (see
at least paragraph 0055).

o the criticality (critical) (see at least paragraph 0060). 

(The Examiner notes that although Callahan does not expressly teach the specific data recited in 
amended Claim 1, these differences are only found in the non-functional descriptive material and are not 
functionally involved in the steps recited nor do they alter the recited structural elements. The recited 
method steps would be performed the same regardless of the specific data. Further, the structural elements 
remain the same regardless of the specific data. Thus, this descriptive material will not distinguish the 
claimed invention from the prior art in terms of patentability, see In re Gulack, 703 F.2d 1381, 1385, 217 
USPQ 401, 404 (Fed. Cir. 1983); In re Lowry, 32 F.3d 1579, 32 USPQ2d 1031 (Fed. Cir. 1994); MPEP 
2106). 

Callahan does not specifically teach assessing a country impact on the enterprise. Bott teaches 
assessing a country impact on the enterprise (Re-exports, are also highly correlated to imports so that their 
impact on the net foreign asset position of a country is less significant, country risk assessment system, 
volatility risk) (see at least column 7, line 39 through column 8, line 22 and Figure 4) in analogous art of 
assessing creditworthiness of a country for the purposes of, "[u]nits of government could use their legal 
empowerment to delay or discontinue transactions" (see at least column 6, lines 20-37, column 7, line 39 
through column 8, line 22 and Figure 4). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to combine
the volatility risk of that country as taught by Bott with the integrated compliance monitoring method of 
Callahan. One of ordinary skill in the art would have been motivated to do so for the benefit of knowing an 
updated status of a country's ability to maintain a strong economic status (Bott, column 8, lines 10-22). 

Callahan and Bott do not teach assessing an allowable time period that the degradation of the 
services from the outside service provider can last. Borgia teaches assessing an allowable time period (risk 
acknowledgement approval period) that the degradation of the services from the outside service provider 
can last (expiration, thirty day warning) in analogous art of tracking compliance with policies related to 
management of risk for the purposes of a warning that a corrective action plan is due to expire (see at least 
column 12, lines 32-62). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to combine 
the disaster recover preparedness plan as taught by Borgia with the economic and risk factors of a country 
as taught by Bott and the integrated compliance monitoring method of Callahan. One of ordinary skill in the 
art would have been motivated to do so for the benefit of having a notification or alarm to warn prior to an 
expiration of a corrective action plan (Borgia, column 12, lines 32-62). 

With regard to Claim 19, Callahan teaches a system, interface, database server, and application 
server (Microsoft's Internet Information Services) (see at least paragraph 0047). Claim 19 is further 
substantially similar to claim 1 and is rejected for the same rationale as set forth above in Claim 1.

With regard to Claims 2 and 20, Callahan does not specifically teach identifying countries in which
the outside service provider operates and determining a country impact risk associated with the countries, 
wherein the step of automatically determining the criticality is also in response to the country impact risk. 
Bott teaches identifying countries in which the outside service provider operates and determining a country 
impact risk (country risk assessment system, volatility risk) associated with the countries, wherein the step of 
automatically determining the criticality is also in response to the country impact risk (drastic action is 
required, drastic measures) in analogous art of assessing creditworthiness of a country for the purposes of, 
"[u]nits of government could use their legal empowerment to delay or discontinue transactions" (see at least 
column 7, line 39 through column 8, line 22 and Figure 4). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to combine 
the volatility risk of that country as taught by Bott with the integrated compliance monitoring method of 
Callahan. One of ordinary skill in the art would have been motivated to do so for the benefit of knowing an 
updated status of a country's ability to maintain a strong economic status (Bott, column 8, lines 10-22). 

With regard to Claim 3, Callahan does not specifically teach collecting economic condition 
information with respect to the country; storing the economic condition information in the database; 
collecting social condition information with respect to the country; storing the social condition information in 
the database; collecting political condition information with respect to the country; and storing the political
condition information in the database. Bott teaches collecting economic (economic) condition information 
with respect to the country; storing the economic condition information in the database (creating a database 
of economic scores for the country) (see at least column 1, lines 36-45); collecting social condition (social) 
information with respect to the country; storing the social condition information in the database; collecting 
political condition information with respect to the country; and storing the political condition (political) (see at
least column 4, lines 64-67 and column 5, lines 1-7) information in the database in analogous art of
assessing creditworthiness of a country for the purposes of, "[f]actors that may interfere with an ability or
willingness of a country and its economic agents to honor their financial or contractual obligations to
non-resident owners..." (see at least column 5, lines 2-7).

It would have been obvious to one of ordinary skill in the art at the time of the invention to combine
the economic and risk factors of a country as taught by Bott with the integrated compliance monitoring 
method of Callahan. One of ordinary skill in the art would have been motivated to do so for the benefit of 
implementing a country risk assessment system (Bott, column 4, lines 64-67). 

(The Examiner notes that although Bott does not expressly teach the specific data recited in Claim 
3, these differences are only found in the non-functional descriptive material and are not functionally 
involved in the steps recited nor do they alter the recited structural elements. The recited method steps 
would be performed the same regardless of the specific data. Further, the structural elements remain the 
same regardless of the specific data. Thus, this descriptive material will not distinguish the claimed 
invention from the prior art in terms of patentability, see In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 401, 
404 (Fed. Cir. 1983); In re Lowry, 32 F.3d 1579, 32 USPQ2d 1031 (Fed. Cir. 1994); MPEP 2106). 

With regard to Claims 4 and 21, Callahan teaches wherein at least one of the resources of the 
enterprise includes at least one software application employed by the enterprise (Application Software) (see 
at least paragraph 0029). 

With regard to Claims 6 and 23, Callahan teaches assigning specific people (data guardian) to fulfill 
roles with respect to management of a relationship with the outside service provider, wherein the roles 
include at least one of information owner and information risk manager (see at least paragraph 0034). 

With regard to Claims 7 and 24, Callahan teaches receiving acknowledgements of the acceptances 
of the assignments from the specific people (obtains a sign-off from the approver) (see at least paragraph 
0034). 

With regard to Claims 8 and 25, Callahan teaches assigning alternate people to fulfill the roles (one 
or more re-viewers or "data guardians") (see at least paragraph 0026). 

With regard to Claim 9, Callahan teaches wherein the role of the information owner comprises at
least one of: 

• obtaining from the outside service provider copies of financial and non-financial audit 
reports (audits) (see at least paragraph 0024). 

• obtaining documentation describing the outside service provider's procedural, 
physical access, logical access and business recovery controls (emphasizing those 
that have access to or who manipulate, store, transmit or destroy the company's 
consumer customer information) (see at least paragraph 0028). 

• requiring notification by the outside service provider of any organization, security- 
related and other changes affecting the availability, confidentiality, or integrity of the 
services provided by the outside service provider. 

• initiating the risk assessment process (The process starts at 201) (see at least 
paragraph 0026). 

(The Examiner notes that although Callahan does not expressly teach the specific data recited in 
Claim 9, these differences are only found in the non-functional descriptive material and are not functionally 
involved in the steps recited nor do they alter the recited structural elements. The recited method steps 
would be performed the same regardless of the specific data. Further, the structural elements remain the 
same regardless of the specific data. Thus, this descriptive material will not distinguish the claimed 
invention from the prior art in terms of patentability, see In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 401, 
404 (Fed. Cir. 1983); In re Lowry, 32 F.3d 1579, 32 USPQ2d 1031 (Fed. Cir. 1994); MPEP 2106). 

With regard to Claim 10, Callahan teaches wherein the role of information risk manager (data
guardian) comprises at least one of: 

• maintaining an updated list of outside service providers used by the enterprise (the 
database is kept updated) (see at least paragraphs 0054-0056). 

• allocating resources for the outside service provider assessment process. 

(The Examiner notes that although Callahan does not expressly teach the specific data recited in 
Claim 10, these differences are only found in the non-functional descriptive material and are not functionally 
involved in the steps recited nor do they alter the recited structural elements. The recited method steps 
would be performed the same regardless of the specific data. Further, the structural elements remain the 
same regardless of the specific data. Thus, this descriptive material will not distinguish the claimed 
invention from the prior art in terms of patentability, see In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 401, 
404 (Fed. Cir. 1983); In re Lowry, 32 F.3d 1579, 32 USPQ2d 1031 (Fed. Cir. 1994); MPEP 2106). 

With regard to Claims 11 and 30, Callahan teaches wherein all of the steps of the method are
facilitated using a software application (risk assessment module), the method further comprising: 

• generating data input screens for accepting input from a user (screens that show 
detail of how comments are entered and risk values are established) (see at least 
paragraph 0059). 

• providing drop down boxes on the data input screens in order to facilitate selection of 
predefined information (a drop-down box, accessed from the tab, displays that 
progress) (see at least paragraph 0058). 

With regard to Claims 12 and 26, Callahan and Bott do not teach assessing a recovery plan of the
outside service provider. Borgia teaches assessing a recovery plan (plan accessible to a crisis team for 
recovery) of the outside service provider (see at least paragraph 0043) in analogous art of tracking 
compliance with policies related to management of risk for the purposes of "...an information policy provides 
the requirements for disaster recover preparedness" (see at least paragraph 0043). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to combine 
the disaster recover preparedness plan as taught by Borgia with the economic and risk factors of a country 
as taught by Bott and the integrated compliance monitoring method of Callahan. One of ordinary skill in the 
art would have been motivated to do so for the benefit of un-interrupted business process due to a backup 
recovery plan (Borgia, paragraph 0043). 

With regard to Claims 13 and 27, Callahan and Bott do not teach questioning the developer of the 
plan as to whether it has required elements; and developing a corrective action plan to address missing 
required elements. Borgia teaches questioning the developer (risk management assessor) of the plan as to 
whether it has required elements (consisting of a series of questions that must be answered with appropriate 
responses to product compliance) and developing a corrective action plan to address missing required 
elements (reviews areas of non-compliance and the associated risk acknowledgements to provide approval 
if appropriate) in analogous art of tracking compliance with policies related to management of risk for the 
purposes of "having an approved process or plan in place to achieve compliance" (see at least paragraphs
0043-0057). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to combine 
the disaster recover preparedness plan as taught by Borgia with the economic and risk factors of a country 
as taught by Bott and the integrated compliance monitoring method of Callahan. One of ordinary skill in the 
art would have been motivated to do so for the benefit of increased awareness and corrective measures for 
missing elements or non-compliance with a business institution (Borgia, paragraphs 0043-0057). 

With regard to Claims 14 and 28, Callahan and Bott do not teach an alternate site for providing the
services; and a business continuity plan for resumption of the services at the alternate site. Borgia teaches 
an alternate site for providing the services (may depend upon such factors as whether information is stored 
off site on a regular basis) and a business continuity plan for resumption of the services at the alternate site 
(Once risk is acknowledged, a plan for reducing the risk or bringing the project into compliance can be 
formulated) in analogous art of tracking compliance with policies related to management of risk for the 
purposes of "The rating for disaster recovery readiness may depend upon such factors as whether 
information is stored off site on a regular basis, intervals in which system backups are made, robustness of 
computer recovery systems" (see at least paragraph 0017).

It would have been obvious to one of ordinary skill in the art at the time of the invention to combine 
the disaster recover preparedness plan as taught by Borgia with the economic and risk factors of a country 
as taught by Bott and the integrated compliance monitoring method of Callahan. One of ordinary skill in the 
art would have been motivated to do so for the benefit of survivability due to a disaster by having an 
alternate backup (Borgia, paragraph 0017). 

With regard to Claims 15 and 29, teaches providing status data on the enterprise level; providing 
status data on a line of business level; and providing status data on a department level (handle assessments 
at whatever level a business unit or the enterprise wants, executives, administrators, senior managers) (see 
at least paragraph 0032). 

With regard to Claim 16, Callahan teaches wherein the enterprise has policies and procedures 
(policies and procedures) for protecting the integrity of the provision of services (Identify perceivable threats, 
evaluate the likelihood of those threats), the method further comprising assessing the compliance 
(compliance) of the outside service provider to the policies and procedures (see at least paragraph 0025). 

With regard to Claim 17, Callahan teaches developing a corrective action plan if the outside service 
provider is not in compliance, the corrective action plan containing the steps required to bring the outside 
service provider into compliance (The assessor works through whatever corrective action needs to be taken 
on the assessment and re-submits it to the data guardian) (see at least paragraph 0057). 

With regard to Claim 18, Callahan teaches obtaining an acknowledgement by management of the
enterprise of risk associated with the non-compliance of the outside service provider (non-compliance is 
indicated based on a response or group of responses) (see at least paragraph 0023). 

Conclusion 



10. The following prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
• Kansal (U.S. 6,647,374) discloses a system and method of assessing and rating vendor risk and 
pricing of technology delivery insurance. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed
to THOMAS MANSFIELD whose telephone number is (571)270-1904. The examiner can normally be reached on 
Monday-Thursday 8:30 am-6 pm, alt. Fridays. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Bradley Bayat 
can be reached on 571-272-6704. The fax phone number for the organization where this application or proceeding is 
assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application Information 
Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or 
Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more 
information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the 
Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like 
assistance from a USPTO Customer Service Representative or access to the automated information system, call 
800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Examiner, Art Unit 3624
Thomas Mansfield